Vulnerability Name:

CVE-2003-0189 (CCN-12091)

Assigned:2003-05-28
Published:2003-05-28
Updated:2021-06-06
Summary:The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when a threaded MPM is used.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2003-0189

Source: CONECTIVA
Type: UNKNOWN
CLA-2003:661

Source: BUGTRAQ
Type: UNKNOWN
20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released

Source: CCN
Type: RHSA-2003-186
Updated httpd packages fix Apache security vulnerabilities

Source: CCN
Type: SA8881
Apache Denial of Service and Potential System Compromise Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
8881

Source: CCN
Type: Apache Web site
Apache 2.0.46 Released

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.apache.org/dist/httpd/Announcement2.html

Source: CCN
Type: CIAC Information Bulletin N-099
Apache 2.0.46 Release Fixes Security Vulnerabilities

Source: CCN
Type: CIAC Information Bulletin N-146
Apache 2.0.47 Release Fixes Security Vulnerabilities

Source: CCN
Type: US-CERT VU#479268
Apache HTTPD contains denial of service vulnerability in basic authentication module

Source: CERT-VN
Type: US Government Resource
VU#479268

Source: CCN
Type: OSVDB ID: 9714
Apache Authentication Module Threaded MPM DoS

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2003:186

Source: CCN
Type: Gentoo Linux Security Announcement 2002-05-13
apache-2.x - denial of service

Source: BID
Type: UNKNOWN
7725

Source: CCN
Type: BID-7725
Apache Basic Authentication Module Valid User Login Denial Of Service Vulnerability

Source: XF
Type: UNKNOWN
apache-aprpasswordvalidate-dos(12091)

Source: XF
Type: UNKNOWN
apache-aprpasswordvalidate-dos(12091)

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210603 svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075467 [1/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.43:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.43:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • AND
  • cpe:/o:hp:hp-ux:11.00:*:*:*:*:*:*:*
  • OR cpe:/o:hp:hp-ux:11.11:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:hp:hp-ux:11.22:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apache http server 2.0.44
    apache http server 2.0.45
    apache http server 2.0.40
    apache http server 2.0.41
    apache http server 2.0.42
    apache http server 2.0.43
    apache http server 2.0.42
    apache http server 2.0.40
    apache http server 2.0.41
    apache http server 2.0.43
    apache http server 2.0.44
    apache http server 2.0.45
    hp hp-ux 11.00
    hp hp-ux 11.11
    gentoo linux *
    redhat linux 8.0
    hp hp-ux 11.22
    mandrakesoft mandrake linux 9.1
    redhat linux 9.0
    conectiva linux 9.0
    mandrakesoft mandrake linux 9.1